RE: LDAP query limit in AD?

[Brzezinski, Paul J]

A F -

I'm certain I used code or doco [or a book?] that was authored by Steven 
Manross.  I ran into the same issue when I promoted a solution from a 
development environment to production.  Development had < 1000 objects of 
interest, production exceeded the limit of 1000 per query.  I ended up using 
the paged method that Steven mentioned in his post.

My apologies for top-posting.

Here's a sequence of calls that I used to query AD for printQueue objects.  In 
our environment there's more than 1000.

use constant LDAP_SIZELIMIT => 0;
use constant LDAP_SCOPE => 'sub';
use constant LDAP_FILTER => '(objectCategory=printQueue)';
use constant LDAP_ATTR => 'portName';
use constant PAGE_SIZE => 500;

#
# sub makeBaseDN takes a DNS-style domain and turned it into the X.400 [or is 
it X.500] style format.
#

  my( $ldapHost, $ID, $PW ) = @_;
  my( $ldap ) = Net::LDAP->new( $ldapHost ) or die "$@";
  my( $mesg, $page, $cookie, $objCount ) = ( undef, undef, undef, 0 );
  my( @args ) = ();

  if ( length( $ID ) == 0 || length( $PW ) == 0 ) {
    printf $tee "%s: an ID and password must be specified to bind to the LDAP se
    exit -1;
  }

  # bind to a directory with dn and password
  # NOTE: bind() method fails if the connection cannot be completed because of n
  #       failure is "Can't call method "bind" on an undefined value at getPrint
  $mesg = $ldap->bind( $ID, password => $PW );

  # NOTE: failure occurs here when $ID and/or $PW is incorrect, failure is:
  #       80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error
  $mesg->code && die $mesg->error;
  $page = Net::LDAP::Control::Paged->new( size => PAGE_SIZE );

  @args = (
            Sizelimit => LDAP_SIZELIMIT,
            scope     => LDAP_SCOPE,
            base      => &makeBaseDN,
            filter    => LDAP_FILTER,
            attrs     => [ LDAP_ATTR ],
            control   => [ $page ],
  );

  while( 1 ) {
    $mesg = $ldap->search( @args );

    last if ( $mesg->code && $mesg->code != 4 );

   foreach my $entry ( $mesg->entries ) {
      my $dn = $entry->dn();
      foreach my $attr ( $entry->attributes ) {
        my $value = $entry->get_value( $attr );
        $value =~ s/^IP_//;
        printf QUE "%s\t%s\n", $value, $dn;
        printf IP "%s\n", $value;
      }
    }
    $objCount += $mesg->count;

    last unless my( $resp ) = $mesg->control( LDAP_CONTROL_PAGED );
    last unless $cookie = $resp->cookie;
    $page->cookie( $cookie );
  }

  if ( $cookie ) {
    printf $tee "INFO: query interrupted: %s: %s!\n", $mesg->code, $mesg->error;
    $page->cookie( $cookie );
    $page->size( 0 );
    $ldap->search( @args );

    if ( $mesg->count && $objCount == 0 ) {

    foreach my $entry ( $mesg->entries ) {
      my $dn = $entry->dn();
      foreach my $attr ( $entry->attributes ) {
        my $value = $entry->get_value( $attr );
        $value =~ s/^IP_//;
        printf QUE "%s\t%s\n", $value, $dn;
        printf IP "%s\n", $value;
      }
    }
    $objCount += $mesg->count;
  }

  if ( $objCount ) {
    # query actually returned something
  }

  $mesg = $ldap->unbind;  # take down session



--
Paul J. Brzezinski
Integration Engineering - GM
HP Enterprise Services
Telephone +1 248.365.9615
Email paul.brzezin...@hp.com<mailto:paul.brzezin...@hp.com>

From: perl-win32-admin-boun...@listserv.activestate.com 
[mailto:perl-win32-admin-boun...@listserv.activestate.com] On Behalf Of A F
Sent: Thursday, March 17, 2011 2:54 PM
To: Steven Manross; perl-win32-admin@listserv.ActiveState.com
Subject: Re: LDAP query limit in AD?

Even with that it only give me 1000. the recordcount seems to be always 1000 
with any kind of filter I put.
In my previous example I was expecting 1600+ users that have manager.




________________________________
From: Steven Manross <ste...@manross.net>
To: A F <perl95...@yahoo.com>; perl-win32-admin@listserv.ActiveState.com
Sent: Wed, March 16, 2011 11:34:17 PM
Subject: RE: LDAP query limit in AD?

Your code should pull all the users with a specified manager.

While there is a limit of 1000 objects that AD will pull back in an AD
query, we've written a paged query (  $Cmd->{Properties}->{"Page Size"}
= 99), to get around that limitation so I would start by modifying your
query to change:

(&(objectclass=User)(manager=*))

To:

(objectclass=User)

And note the differences of results..  I am guessing that will show your
missing 1000+ users.

HTH
Steven
________________________________

    From: A F [mailto:perl95...@yahoo.com<mailto:perl95...@yahoo.com>]
    Sent: Wednesday, March 16, 2011 11:09 PM
    To: Steven Manross; 
perl-win32-admin@listserv.ActiveState.com<mailto:perl-win32-admin@listserv.ActiveState.com>
    Subject: LDAP query limit in AD?


    Is there a limit on the number of record when doing a AD query
with LDAP?
    I am getting only 1000 records from this script. We have more
than 2000+ users in our AD.
    Any idea how to increase the limit to get everything?


    use Win32::OLE;
    my $RootDSE = Win32::OLE->GetObject("LDAP://RootDSE");


    $dc = $RootDSE->Get("DnsHostName");
    print "$dc\n";
    query_ldap("<LDAP://" . $dc .
">;(&(objectclass=User)(manager=*));displayname,distinguishedname;subtre
e",$objects);

    print "recordcount = ".$objects->{RecordCount}."\n";
    while (!$objects->{EOF}) {

getattributes($dc,$objects->Fields("distinguishedname")->{Value});
      $objects->MoveNext();
    }
    sub query_ldap {
      my $ldap_query = $_[0];
      my $error_num;
      my $error_name;
      my $RS;
      my $Conn = Win32::OLE->new("ADODB.Connection");
      if (Win32::OLE->LastError() != 0) {
        print "Failed creating ADODB.Connection object
(".Win32::OLE->LastError().")\n  -> $ldap_query\n";
        return 0;
      }
      $Conn->{'Provider'} = "ADsDSOObject";
      if (Win32::OLE->LastError() != 0) {
        print "Failed setting ADODB.Command Provider
(".Win32::OLE->LastError().")\n  -> $ldap_query\n";
        return 0;
      }
      $Conn->{Open} = "Perl Active Directory Query";
      my $Cmd = Win32::OLE->new("ADODB.Command");
      if (Win32::OLE->LastError() != 0) {
        print "Failed creating ADODB.Command object
(".Win32::OLE->LastError().")\n  -> $ldap_query\n";
        return 0;
      }
      $Cmd->{CommandText} = $ldap_query;
      $Cmd->{Properties}->{"Page Size"} = 99;
      $Cmd->{ActiveConnection} = $Conn;
      $RS = $Cmd->Execute();
      if (Win32::OLE->LastError() != 0) {
        print "Failed Executing ADODB Command object
(".Win32::OLE->LastError().")\nExecuting ADODB Command ->
$ldap_query\n";
        return 0;
      } else {
        $_[1] = $RS;
        return 1;
      }
    }
    sub getattributes  {
      my $dc = $_[0];
      my $dn = $_[1];
      my $adsuser = Win32::OLE->GetObject("LDAP://$dc/$dn") || die
("Can't find user: ".Win32::OLE->LastError()."\n");
      print "$adsuser->{cn}\t";
      print "$adsuser->{EmailAddress}\t";
      print "$adsuser->{department}\t";
      print "$adsuser->{PhysicalDeliveryOfficeName}\t";
      print "  Manager: $adsuser->{Manager}\n";
    }






_______________________________________________
Perl-Win32-Admin mailing list
Perl-Win32-Admin@listserv.ActiveState.com
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs